On 08/16/2017 10:51 AM, Jakob Bohm wrote:
On 16/08/2017 16:32, Tom Browder wrote:
On Wed, Aug 16, 2017 at 08:36 Salz, Rich via openssl-users
<openssl-users@xxxxxxxxxxx <mailto:openssl-users@xxxxxxxxxxx>> wrote:
➢ So, in summary, do I need to ensure cert serial numbers are
unique for my CA?
Why would you not? The specifications require it, but those
specifications are for interoperability. If nobody is ever going
to see your certs, then who cares what’s in them?
Well, I do like to abide by specs, and they will be used in various
browsers, so I think I will continue the unique serial numbering.
Thanks, Rich.
Modern browsers increasingly presume that such private CAs behave exactly
like the public CAs regulated through the CA/Browsers Forum (CAB/F) and
the per-browser root CA inclusion programs (the administrative processes
that determine which CAs are listed in browsers by default).
Among the relevant requirements now needed:
- Serial numbers are *exactly* 20 bytes (153 to 159 bits) both as
standalone
numbers and as DER-encoded numbers. Note that this is not the
default in
the openssl ca program.
- Serial numbers contain cryptographically strong random bits,
currently at
least 64 random bits, though it is best if the entire serial number
looks
random from the outside. This is not implemented by the openssl ca
program.
- Certificates are valid for at most 2 years (actually 825 days).
- SHA-1 (and other weak algorithms such as MD5) are no longer
permitted and
is already disappearing from Browser code.
- RSA shorter than 2048 bits (and other weak settings such as equally
short
DSA keys) are no longer permitted and is already disappearing from
Browser
code.
How universal is ECDSA p-256 support?
- If the certificate is issued to an e-mail address, that e-mail
address must
also be listed as an rfc822Name in a "Subject Alternative Name"
certificate
extension.
Which is also a problem in openssl. You have to put the SAN into the
cnf file. There are a number of hacks to do this from the command line.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
